dcrat | 434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Size

1.7MB
MD5

88bc360785b47c484011f5eaf67735a2
SHA1

1e868cecddcd99d570efa98d7966a5284d36b2c7
SHA256

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa
SHA512

c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2240	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2240	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3020-1-0x00000000013C0000-0x0000000001580000-memory.dmp	dcrat
behavioral1/files/0x001500000001866d-27.dat	dcrat
behavioral1/files/0x0007000000019229-90.dat	dcrat
behavioral1/files/0x000c000000016d24-123.dat	dcrat
behavioral1/files/0x001000000001879b-225.dat	dcrat
behavioral1/memory/3052-329-0x00000000003C0000-0x0000000000580000-memory.dmp	dcrat
behavioral1/memory/2384-340-0x0000000000930000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/1868-352-0x0000000000A50000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/896-365-0x00000000003E0000-0x00000000005A0000-memory.dmp	dcrat
behavioral1/memory/2952-378-0x00000000000C0000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1544-390-0x0000000000EA0000-0x0000000001060000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.exe
860	powershell.exe
1800	powershell.exe
2716	powershell.exe
2944	powershell.exe
2816	powershell.exe
1284	powershell.exe
1908	powershell.exe
1060	powershell.exe
2656	powershell.exe
1760	powershell.exe
352	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Executes dropped EXE 9 IoCs

pid	Process
3052	OSPPSVC.exe
2384	OSPPSVC.exe
1868	OSPPSVC.exe
896	OSPPSVC.exe
2952	OSPPSVC.exe
1544	OSPPSVC.exe
812	OSPPSVC.exe
1860	OSPPSVC.exe
904	OSPPSVC.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXBE72.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Common Files\System\RCXC4ED.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Common Files\System\RCXC4EE.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\27d1bcfc3c54e0	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\1610b97d3ab4a7	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\24dbde2999530e	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXBE71.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXC27C.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cc11b995f2a76d	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Common Files\System\csrss.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Common Files\System\886983d96e3d3e	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WmiPrvSE.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Common Files\System\csrss.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WmiPrvSE.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCXADEF.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\OSPPSVC.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\RCXADF0.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\OSPPSVC.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\6ccacd8608530f	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXC27B.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\RCXB67F.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\RCXB6EE.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXC076.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXC077.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\es-ES\lsm.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\ehome\OSPPSVC.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXB276.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ehome\RCXC6F2.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\es-ES\lsm.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\Downloaded Program Files\wininit.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\es-ES\RCXABEB.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\wininit.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ehome\RCXC6F3.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\es-ES\101b941d020240	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\ehome\1610b97d3ab4a7	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\es-ES\RCXABEC.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXB277.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ehome\OSPPSVC.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3052	schtasks.exe
1608	schtasks.exe
2640	schtasks.exe
536	schtasks.exe
2876	schtasks.exe
2080	schtasks.exe
1984	schtasks.exe
2336	schtasks.exe
2616	schtasks.exe
2660	schtasks.exe
1056	schtasks.exe
1060	schtasks.exe
1616	schtasks.exe
1036	schtasks.exe
2776	schtasks.exe
2224	schtasks.exe
2788	schtasks.exe
2168	schtasks.exe
576	schtasks.exe
2084	schtasks.exe
2980	schtasks.exe
1524	schtasks.exe
1808	schtasks.exe
1576	schtasks.exe
2976	schtasks.exe
388	schtasks.exe
2364	schtasks.exe
2676	schtasks.exe
1420	schtasks.exe
1108	schtasks.exe
1928	schtasks.exe
1232	schtasks.exe
2636	schtasks.exe
2144	schtasks.exe
1880	schtasks.exe
2484	schtasks.exe
1332	schtasks.exe
1248	schtasks.exe
912	schtasks.exe
2904	schtasks.exe
1868	schtasks.exe
1976	schtasks.exe
596	schtasks.exe
2960	schtasks.exe
1940	schtasks.exe
3004	schtasks.exe
108	schtasks.exe
1668	schtasks.exe
372	schtasks.exe
1844	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2816	powershell.exe
1760	powershell.exe
2944	powershell.exe
1060	powershell.exe
1800	powershell.exe
1908	powershell.exe
2656	powershell.exe
1540	powershell.exe
2716	powershell.exe
352	powershell.exe
860	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3052	OSPPSVC.exe
Token: SeDebugPrivilege	2384	OSPPSVC.exe
Token: SeDebugPrivilege	1868	OSPPSVC.exe
Token: SeDebugPrivilege	896	OSPPSVC.exe
Token: SeDebugPrivilege	2952	OSPPSVC.exe
Token: SeDebugPrivilege	1544	OSPPSVC.exe
Token: SeDebugPrivilege	812	OSPPSVC.exe
Token: SeDebugPrivilege	1860	OSPPSVC.exe
Token: SeDebugPrivilege	904	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1540	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 3020 wrote to memory of 1540	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 3020 wrote to memory of 1540	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 3020 wrote to memory of 1284	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 3020 wrote to memory of 1284	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 3020 wrote to memory of 1284	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 3020 wrote to memory of 1908	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	85
PID 3020 wrote to memory of 1908	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	85
PID 3020 wrote to memory of 1908	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	85
PID 3020 wrote to memory of 1060	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	86
PID 3020 wrote to memory of 1060	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	86
PID 3020 wrote to memory of 1060	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	86
PID 3020 wrote to memory of 860	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	87
PID 3020 wrote to memory of 860	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	87
PID 3020 wrote to memory of 860	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	87
PID 3020 wrote to memory of 2656	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	88
PID 3020 wrote to memory of 2656	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	88
PID 3020 wrote to memory of 2656	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	88
PID 3020 wrote to memory of 1800	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	89
PID 3020 wrote to memory of 1800	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	89
PID 3020 wrote to memory of 1800	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	89
PID 3020 wrote to memory of 1760	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	90
PID 3020 wrote to memory of 1760	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	90
PID 3020 wrote to memory of 1760	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	90
PID 3020 wrote to memory of 352	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	91
PID 3020 wrote to memory of 352	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	91
PID 3020 wrote to memory of 352	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	91
PID 3020 wrote to memory of 2944	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	92
PID 3020 wrote to memory of 2944	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	92
PID 3020 wrote to memory of 2944	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	92
PID 3020 wrote to memory of 2816	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	93
PID 3020 wrote to memory of 2816	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	93
PID 3020 wrote to memory of 2816	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	93
PID 3020 wrote to memory of 2716	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	94
PID 3020 wrote to memory of 2716	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	94
PID 3020 wrote to memory of 2716	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	94
PID 3020 wrote to memory of 444	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	107
PID 3020 wrote to memory of 444	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	107
PID 3020 wrote to memory of 444	3020	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	107
PID 444 wrote to memory of 2916	444	cmd.exe	109
PID 444 wrote to memory of 2916	444	cmd.exe	109
PID 444 wrote to memory of 2916	444	cmd.exe	109
PID 444 wrote to memory of 3052	444	cmd.exe	110
PID 444 wrote to memory of 3052	444	cmd.exe	110
PID 444 wrote to memory of 3052	444	cmd.exe	110
PID 3052 wrote to memory of 1616	3052	OSPPSVC.exe	111
PID 3052 wrote to memory of 1616	3052	OSPPSVC.exe	111
PID 3052 wrote to memory of 1616	3052	OSPPSVC.exe	111
PID 3052 wrote to memory of 2876	3052	OSPPSVC.exe	112
PID 3052 wrote to memory of 2876	3052	OSPPSVC.exe	112
PID 3052 wrote to memory of 2876	3052	OSPPSVC.exe	112
PID 1616 wrote to memory of 2384	1616	WScript.exe	113
PID 1616 wrote to memory of 2384	1616	WScript.exe	113
PID 1616 wrote to memory of 2384	1616	WScript.exe	113
PID 2384 wrote to memory of 2804	2384	OSPPSVC.exe	114
PID 2384 wrote to memory of 2804	2384	OSPPSVC.exe	114
PID 2384 wrote to memory of 2804	2384	OSPPSVC.exe	114
PID 2384 wrote to memory of 588	2384	OSPPSVC.exe	115
PID 2384 wrote to memory of 588	2384	OSPPSVC.exe	115
PID 2384 wrote to memory of 588	2384	OSPPSVC.exe	115
PID 2804 wrote to memory of 1868	2804	WScript.exe	116
PID 2804 wrote to memory of 1868	2804	WScript.exe	116
PID 2804 wrote to memory of 1868	2804	WScript.exe	116
PID 1868 wrote to memory of 2032	1868	OSPPSVC.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
"C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\opRv074rjp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2916
- - C:\Windows\ehome\OSPPSVC.exe
    "C:\Windows\ehome\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c10f47a8-ed5d-4b59-b373-1002ea6b7eb0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fba70df-3b58-4055-b739-b5dc0cffa24a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ec53d72-26f8-44d0-8d02-e5456c217db2.vbs"
        8⤵
        
        PID:2032
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6299f60d-fa22-4763-a271-af1901c0fedd.vbs"
        10⤵
        
        PID:1920
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bce2096-a79b-43d9-9ad9-66f9d95c7ec3.vbs"
        12⤵
        
        PID:2660
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\672f2024-89ef-4220-a6e6-5d690fcce45c.vbs"
        14⤵
        
        PID:2256
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c83e4b39-7871-40b0-bd5d-51697d94b8cd.vbs"
        16⤵
        
        PID:2872
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\021f9006-abdc-4758-9d35-034b1f9ef876.vbs"
        18⤵
        
        PID:2456
        
        C:\Windows\ehome\OSPPSVC.exe
        
        C:\Windows\ehome\OSPPSVC.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2010529a-7852-4763-b0a1-c6db72bca87b.vbs"
        20⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a922fe0b-b0ee-4e0b-acca-4ebbbdf55f05.vbs"
        20⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef6d55b9-3ce6-431b-92d3-af0e5acf8021.vbs"
        18⤵
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfd746fa-70aa-4cdc-987e-e30094f0b13f.vbs"
        16⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd2b1d5-d22f-407c-bd29-c5d4d857fd55.vbs"
        14⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\531b8619-cffe-4dc6-b2ab-ed375a37f323.vbs"
        12⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5350fb4b-88ae-4193-a98b-936339907863.vbs"
        10⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451c5718-4a4a-4b4a-b59c-92f0cbeed5ba.vbs"
        8⤵
        
        PID:1036
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9553c1d-b7ec-412c-8ff3-775d0402a6ea.vbs"
        6⤵
        
        PID:588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b512338-e083-419d-8c0e-ce465352db4a.vbs"
      4⤵
      PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.7MB

MD5
88bc360785b47c484011f5eaf67735a2

SHA1
1e868cecddcd99d570efa98d7966a5284d36b2c7

SHA256
434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

SHA512
c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RCXCAFB.tmp

Filesize
1.7MB

MD5
ddf46c96ff309897ca2eab07a4ed18cf

SHA1
4375f4b740b27a4290ea6079258bd89c79c91b51

SHA256
5263fb3cf04847bcaae2646f3015e8a2b6a8be68c576d08ddb66ed84dec64db1

SHA512
73b9675b4b40d1bc38f33a5571b42698a7be259386add39397bac0673f8fb5bca53a1c6f1cc1a984edc30104466d529d938c70cdd228d484bb7d3ed9d5967575

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe

Filesize
1.7MB

MD5
8fe0f93ce6792fbdb96c1cb715350a57

SHA1
7c43c8054a7dac1576e2a11bbf2c463af4e9bc47

SHA256
c8edd836a65aeefecca095e09887ddb309361397c10a59ba6b40fc8a1eb806ab

SHA512
7b68aa8502b2b8ce001e726d661ebbe146b96365cd0f568547e5bb65d85c164b4040790867a9c3d36d619c7853f794d247b61b6a481ae67c4ad655de2aa7a534

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\System.exe

Filesize
1.7MB

MD5
738275a67ab128aa8bd7baad79ebe142

SHA1
79e77d8917e7edcc544812d232174d24feb1a867

SHA256
16146877d0f5d65fc6535a13f13065aa8e999b8c76cc1dc2810dad639de308ae

SHA512
2b48f8cc9e2ed9082ba96deaa0d04e1f9213f12425088c783a1bca5353b1617c1e532f09350b61865cf53216c54ff60fb0f66dc5833c37f014acb8aba0b46243

Download Submit
C:\Users\Admin\AppData\Local\Temp\021f9006-abdc-4758-9d35-034b1f9ef876.vbs

Filesize
704B

MD5
1d31f235aa4616965602013a02e0c0b4

SHA1
d0cb2bf96b8705e2734420965fc3fe3256768f06

SHA256
3d50200b93e9d338913d53a8812ea4089542a618ddd139a5051b9c37498ac9c1

SHA512
2e4da018183dc29f5440bbd179acb14172faf5d20ab2941a60ba4a45d986647d88fb3bed948ce1c1c56ec6d574f9ee0c5590f134cfa068c14da700c6adaff66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2010529a-7852-4763-b0a1-c6db72bca87b.vbs

Filesize
703B

MD5
6a86ed8a6232dcd8e060c4edff162630

SHA1
63178f2e7ff4223dfdfc9ff235932b2a57ca307d

SHA256
125ece2891edd63d770df71fa8d1456e76220cb8884f279bd84555361b4c52ed

SHA512
123f30394830308dce131779f345afe27fcd2c1077482c0f8a66ff54ba1db9eada24603a265d14fd2841934a82217905af47b9670e41fbd0261b7cbf55be7de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bce2096-a79b-43d9-9ad9-66f9d95c7ec3.vbs

Filesize
704B

MD5
55930e02be971fbf64a870130fb1503a

SHA1
9ad3d5eda6e3810737d067878bdd1bb6873537f6

SHA256
615918f5340334fd473137cbfc7cbe0fbd8f11626b8f6a6badffe8b3b29b93e7

SHA512
8669a567d85d04e4aa500ed65814141cd3c4930d43129533f4c8cd394cb5082b82a3a19f3318871b9997c02293eaed21c19d853117aa948ab19587301a371358

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ec53d72-26f8-44d0-8d02-e5456c217db2.vbs

Filesize
704B

MD5
083fc28b55e47fc6049dafb8f5b80100

SHA1
d0669a6beefea5df73be50065f47fd30717c28d5

SHA256
fe6db67da0aa9c86312d8bd9b5fb3b08b14b8e3e3b9199f1b9874619f71e9454

SHA512
908b6ca117f10fa6fbbe3be1fc8e2bcbce2326206bedcf652efca70798807d37ecadf40ac2fb47c1622114e259c7fe1ba85c4bc63673d7d078a7978ec9c87c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fba70df-3b58-4055-b739-b5dc0cffa24a.vbs

Filesize
704B

MD5
7e61a8bc0aa4f4a0c9fd62a894826154

SHA1
698fbfcefe079e9ed664d5466f7f292a707d6cd3

SHA256
2bd2f6131823584487e8c4373bdd2c5db0b5e70a57cbe969a75459ec8fd419fd

SHA512
40e9c914a91ae3d66f044c510c738f461bacfb1a1fd20dc1c05fcbd497ef9dd07f001f14fc4b1c9a372ad8b2b79f0d091d66a2d780eddfbdc825acdcb9ee415f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b512338-e083-419d-8c0e-ce465352db4a.vbs

Filesize
480B

MD5
e4c689b60dac528dc7c802abe3bc9c1a

SHA1
66b0ce99deb07d48940eb33b377e04938c7db351

SHA256
9fa416066d54af6df66b40248eacdac6398682a1822a05fdbfa3758e824fc1bf

SHA512
e862de9f9e82fdcf8ee9eb09f4882f2c20b48f66cb290d86df10e05ab9544e3f719bd16551c5a0254ef14d297189eca9a88ec9f6b90aec1ccaface3f2c9a7951

Download Submit
C:\Users\Admin\AppData\Local\Temp\6299f60d-fa22-4763-a271-af1901c0fedd.vbs

Filesize
703B

MD5
f527793afa7efd7613a20ccfd79891e7

SHA1
c6f5116187e2df3dc914bb1df45e905bc555f042

SHA256
5e5980f3ec6828f481855fbd588511854c72d116b0b298a7195f6abe1be731a2

SHA512
6ae3acb361835c1453534cf96f8f1cb5ed4b8f1df3b1929230318476196f7759b8aba9a9d9c7c2dce50a6aff4fef2084ef1664dbf4825e8fdc5b48e80a0128b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\672f2024-89ef-4220-a6e6-5d690fcce45c.vbs

Filesize
704B

MD5
7fd45e8f7cedf95e5b646c306490753d

SHA1
af1d09a18889916b75a36ee4341d5a7b7543941e

SHA256
f13137de02badb7ae6a2783b0ab4b23f054f1f67cb15be29243fe1ad9dbc7dc6

SHA512
cb7ee78d5677b1787939901ae54dd9a2c783477f812a2d1726d54884d1227f567ba4020ff72f4483944f3d33bbd793221613c0557e9de0999445d4c978feab04

Download Submit
C:\Users\Admin\AppData\Local\Temp\c10f47a8-ed5d-4b59-b373-1002ea6b7eb0.vbs

Filesize
704B

MD5
485388cc584bb93622779bcd77816582

SHA1
ed7ade67ab6ba5f32f2d02651ac27118c5aba278

SHA256
42f9adfef7dc56bb630f1a11407c8e619b3a8c5432501ecb4af3861265952bd3

SHA512
36dc56ff3976ce1cb4a279b468fa232a748396a58456fc5b9fe79ff2120e68495fd4b5548824cb0731a2727049bdefeffe25456553a54cf25d33ee3186881e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\c83e4b39-7871-40b0-bd5d-51697d94b8cd.vbs

Filesize
703B

MD5
57da61f84c94a8b4f6cbd9fbe5b09bbb

SHA1
deb89dc6616229d87f112ecd191ceecad06af442

SHA256
64ffca3f8de1fabc9ee3bf4aae76fd9a7451aaba222b6b3b359dc56a14d89c0a

SHA512
99f54c77306027ad0d622fecb58672847b3c5e27c94ccec941320ceeba25c53d0cf0f94b2fbdb43a918bc120234fecd16ab21c0b92341ecdfd8e7fed4a55356d

Download Submit
C:\Users\Admin\AppData\Local\Temp\opRv074rjp.bat

Filesize
193B

MD5
e040926087b6a9120cb597345f9e5533

SHA1
4152fa4fde57889c13188b79ac28c25354ca5287

SHA256
c0635639aedd3e91a60b80cb4da8bb53f6edf525105eaa37d84a280a75dceba9

SHA512
7ef506b424452f733c0051f594b426de0fdc7f439c87b2bf4920b59fa0c2bcb214e9fd7b43c53eba4fa7b2c122572aee1fc94f80bc2b30ba008891994519dda0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3c87acc723b9bd9af0f20cfbee450776

SHA1
016d7c5fe90b61da952f35d11ca1939b0df07737

SHA256
0c04cb4356b902aad86240b52c4c3f6c965539b863cd18da158485981311a298

SHA512
22ac2dff7e8c668c1a118ce977bfad91fc11ea69663029b43b2ad16a31805a4cf9db257523fa94b3a86a82bbcb99e6ffb84b1c4cc9a8ec7baf63b972502b1ac9

Download Submit
memory/896-365-0x00000000003E0000-0x00000000005A0000-memory.dmp

Filesize
1.8MB

Download
memory/896-366-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/1544-390-0x0000000000EA0000-0x0000000001060000-memory.dmp

Filesize
1.8MB

Download
memory/1860-413-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1868-352-0x0000000000A50000-0x0000000000C10000-memory.dmp

Filesize
1.8MB

Download
memory/1868-353-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2384-340-0x0000000000930000-0x0000000000AF0000-memory.dmp

Filesize
1.8MB

Download
memory/2816-291-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2816-273-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2952-378-0x00000000000C0000-0x0000000000280000-memory.dmp

Filesize
1.8MB

Download
memory/3020-14-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/3020-0-0x000007FEF6543000-0x000007FEF6544000-memory.dmp

Filesize
4KB

Download
memory/3020-274-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-209-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x00000000013C0000-0x0000000001580000-memory.dmp

Filesize
1.8MB

Download
memory/3020-184-0x000007FEF6543000-0x000007FEF6544000-memory.dmp

Filesize
4KB

Download
memory/3020-20-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-17-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/3020-15-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/3020-16-0x0000000001230000-0x000000000123C000-memory.dmp

Filesize
48KB

Download
memory/3020-13-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/3020-234-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-12-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/3020-11-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/3020-9-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/3020-8-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/3020-7-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3020-6-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/3020-4-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/3020-5-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/3020-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/3020-2-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-329-0x00000000003C0000-0x0000000000580000-memory.dmp

Filesize
1.8MB

Download